Re: After DNS update: critical services being blocked from listening on standard TCP/IP ports
- From: rkand@xxxxxxxxxxx
- Date: Thu, 24 Jul 2008 07:38:39 -0700 (PDT)
On Jul 23, 6:22 pm, "Cliff Galiher" <cgali...@xxxxxxxxx> wrote:
Grr, nothing lights my fire more than a little random Microsoft bashing.
First, I'm not a fanboy. There are things that MS does that bug me.
Regularly. But obviously there needs to be a reality check here.
The DNS exploit was BIG. The big players who have seen the data say it is a
significant issue. Even the few skeptics who had doubts have since changed
course as documented here:
http://www.computerworld.com/action/article.do?command=viewArticleBas...
And it has to be noted that this was a coordinated effort by SIXTEEN
vendors. It isn't like Microsoft unilaterally decided to wake you up each
and every morning.
If they could've done a patch like 2008, they would have. Don't forget that
win2k8 has a significantly rewritten network stack. I guarantee you that
the fix would not have worked the way you seem to think it would on 2k3.
If you have to contact 10 vendors to get ports for your SBS box then you are
running WAY too much on your SBS box! Sure it is a matter of opinion, but
c'mon! This is your domain controller!!
As for the "rare" occasion that an internet facing app is added to SBS, if
it is SBS certified it wouldn't be tough to make automatically updating a
registry key part of the install. Having repackaged enough programs into
MSIs in my day, I can tell you I could do this to *any* MSI file in 10
seconds with the dreaded MS Orca tool. This *isn't* a sky-is-falling
scenario.
If the server is restarting without you already being awake and being the
person to restart it then you have bigger issues with your server. If you
are a supervisor and have a minion rebooting your server then you should
train them how to resolve this relatively minor issue. Either way, if this
problem is "waking you up" more than once every three months, then it is
time to resolve the flaw in the process, not blame Microsoft for patching a
legitimate and obviously significant security hole. I'll take getting woken
up over getting pwned every time.
Finally, let's not forget that this is what we DO. If you are in this
newsgroup, it is because you are, in some way, responsible for maintaining
or setting up an SBS box. Whether you do it full time, part time, as a
consultant, or as an employee, THIS is what we get paid for. If everything
worked perfectly then there'd be no need for this group, for our jobs, or
for SBS2k8 (because SBS 2000 would've been perfect). The simple truth is
that this is a significant security issue and I'll take the inconvenience of
updating a registry key over explaining why everybody is seeing porn and
some pop-up pimping a fake AV product declaring they are infected with
20,000 viruses due to a poisoned DNS redirecting them everywhere but where
they want to go.
...like I said, nothing can light a fire under me more quickly than some
random bashing...I'll get off my soap box now.
-Cliff
This is NOT random bashing - I'm not here saying "M$ Sucks!" or "Vista
is bloatware", I'm saying on this issue, Microsoft should be doing
more.
Addressing your points:
"Congratulations MS for releasing a patch"
I never said or even implied that the DNS patch was not required.
"Different Network stack, different patch"
Is it really that hard to change x:x + MaxUserPort to be 65355 -
MaxUserPort:65355? If MS would just answer this it could placate me.
"Running WAY too much for one server"
Yes there's a lot of services being run on our server. I'm sure we'll
be migrating to EBS at some point in the next year or two. But our
current server was running all the software on it just fine before the
DNS patch.
"Fix the installer"
Because vendors are really paying close attention to the SBS Blog? Is
there even such a thing as SBS certification for 3rd party software?
I'm sure most vendors will eventually fix their software or update
their documentation. That doesn't help me now.
"Always monitor a rebooting server"
Maybe, but I've never run across a problem where I've felt I should be
required to do anything more than get up early to check everything's
ok. If Microsoft Updates start causing issues that take hours to fix,
then maybe they should make it patch Friday instead of patch Tuesday.
"This is what we DO"
NO. This was my entire point in my last post. SBS by definition is
server software made to be run by people that aren't server
specialists. I have not taken classes nor do I have any
certifications for Windows Server. My company does not want to pay for
someone who has - we are a small business, and our IT budget is not on
that scale. And as the sole "IT guy" in my company, I have many other
things to be spending my time on. Is this problem too difficult for
me to overcome? Not in the least, but judging by the other questions I
see in this newsgroup, I can't believe this isn't a bigger problem.
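The dispute above is about which listening ports collide with the ephemeral range bounded by MaxUserPort. The script below is an added example, not code from anyone in this thread: it parses a constructed `netstat -ano` listing, flags TCP listeners inside the Windows Server 2003 dynamic range (assumed here to start at 1025 and end at MaxUserPort, default 5000), and formats them in the `start-end` form used by the Tcpip `ReservedPorts` value so an admin can see what needs reserving before the next reboot.

```python
# Constructed sample of `netstat -ano` output; not taken from the thread.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1804
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2120
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:4125           0.0.0.0:0              LISTENING       1660
  TCP    192.168.16.2:1026      192.168.16.2:389       ESTABLISHED     520
  UDP    0.0.0.0:53             *:*                                    1540
"""

# Assumption: on Windows Server 2003 the dynamic (ephemeral) range starts at
# 1025 and ends at the MaxUserPort registry value (5000 when it is unset).
DYNAMIC_PORT_START = 1025
DEFAULT_MAX_USER_PORT = 5000


def parse_listeners(netstat_text):
    """Return a sorted list of (port, pid) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Header, UDP and non-listening rows do not have the 5-field LISTENING shape.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        local_addr = fields[1]
        port = int(local_addr.rsplit(":", 1)[1])
        listeners.append((port, int(fields[4])))
    return sorted(listeners)


def ports_in_dynamic_range(listeners, max_user_port=DEFAULT_MAX_USER_PORT):
    """Listeners whose port lies inside [DYNAMIC_PORT_START, max_user_port].

    These are the services an ephemeral-port allocator (such as a resolver that
    randomizes its source port at startup) can squat on before the service binds.
    """
    return [(p, pid) for p, pid in listeners
            if DYNAMIC_PORT_START <= p <= max_user_port]


def reserved_ports_value(listeners, max_user_port=DEFAULT_MAX_USER_PORT):
    """Format the colliding ports as the 'start-end' strings that the REG_MULTI_SZ
    Tcpip\\Parameters\\ReservedPorts value expects, one entry per port."""
    return ["%d-%d" % (p, p) for p, _ in ports_in_dynamic_range(listeners, max_user_port)]
```

Run it against a real `netstat -ano` capture and the output lists exactly the services that lost their port after the patch, plus the reservation entries that keep them out of the ephemeral pool.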